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(54) Secure computing device 

(57) A secure computing system (100) stores a pro- 
gram, preferably the real time operating system (210). 
that is encrypted with a private key. A boot ROM (135) 
on the same integrated circuit as the data processor 
and inaccessible from outside includes an initiafization 
program and a public key corresponding to the private 
key. On* initialization the boot ROM decrypts at least a 
verification portion of the program. On verification nor- 
mal operation is enabled. On non-verification, the sys- 
tem could be disabled, or that application program could 
be disabled. A diagnostic program is stored at predeter- 
mined non-relocatable physical address in memory. The 
program is made-non-relocatable using a special table 
look-aside buffer (137) having a fixed virtual address 
register (611) and a conesponding fixed physical 
. address register (641). The secure computing system 



prevents unauthorized use of compressed video data 
stored in a first-in-first-out memory buffer by encrypting 
the compressed video data stream using at least a part 
of the chip identity number as an encryption key (703). 
The data is recalled from memory (705) and decrypted 
(706) as needed for video decompression The debug- 
ger/emulator tool commonly employed in program 
development is protected by a private encryption key 
used to encrypt at least verification token for the pro- 
gram. Upon each initialization of the debugger/ emula- 
tor, the secure computer system decrypts the 
verification token employing public decryption key (805) 
to indicate whether the program is secure or non- 
secure. 
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Description 

TECHNICAL FIELD OF THE INVENTION 

10001] The technical field of this invention is secure 
computing systems, especially computer systems that 
may execute after manufacture field provided programs 
secured to prevent the user from unauthorized use of 
selected computer services. The computer system may 
ateo be functionally reprogrammable in a secure man- 
ner. 

BACKGROUND OF THE INVENTION 

[0002] There are currently many methods to deliver 
video programming to users of television besides over 
the air broadcast. Numerous service providers are 
available to supply this programming to television view- 
ers, Most of these service providers vend a hierarchy of 
services. Typically there is a basic service for a baste 
fee and additional services available for an additional 
fee. The basic services typically include the broadcast 
network programming, cable superstates, music and 
sports programming. These baste services are typically 
supported by advertizing. These basic programming 
services thus operate on the same economics as over 
the air broadcast television. The additional services typ- 
ically include the so called "premium" programming 
such as sports and movies. These premium program-, 
ming services are typically not advertizer supported. 
These are perceived by the television user as higher 
value services and television users are willing to pay 
their service providers additional fees for these serv- 
ices. The service provider passes much of this addi- 
tional fee to the content providers as their compensation 
tor supptying the programming. There may be one or 
several tiers of these premium services made avaflable 
by the service providers. At the top of this programming 
hierarchy is pay per view programming. Pay per view 
programming typically includes music concerts and 
sporting events perceived as time sensitive and highly 
valuable by the television users. Pay per view may also 
include video on demand, where the television user 
requests a particular movie be supplied. This hierarchy 
of service exists for aD current alternative methods of 
program delivery including television cable, over the air 
microwave broadcast end direct satellite television. 
[0003] Reception of such alternative programming 
services has required an additional hardware appliance 
beyond the user provided television receiver since the 
beginning of cable television. Initially this additional 
hardware appliance merely translated the frequency of 
the signal from the transmission frequency to a stand- 
ard frequency used in broadcast television. Such a 
standard frequency is receivable by the user provided 
television receiver. This additional hardware appliance 
is commonly know as a "set top box" in reference to its 
typical deployment on top of the television receiver. Cur- 



rent set top boxes handle the hierarchy of security pre- 
viously described. 

[0004] In the past these set top boxes have been fixed 
function machines, This means that the operational 

5 capabilities of the set top boxes were fixed-upon manu- 
facture and not subject to change once installed. A per- 
son intending to compromise the security of such a set 
top box would need substantial resources to reverse 
engineer the security protocol. Accordingly, such fixed 

io function set top boxes are considered secure. The 
future proposals for set top boxes places the security 
assumption in jeopardy. The set top box currently envi- 
sioned for the future would be a more capable machine, 
These set top boxes are expected to enable plural home 

is entertainment options such as the prior known video 
programming options, viewing video programming 
stored on fixed media such as DVD disks, Internet 
browsing via a telephone or cable modem and playing 
video games downloaded via the modem or via a video 

20 data stream. Enabling the set top box to be pro- 
grammed after installation greatly complicates security. 
It would be useful in the art to have a secure way to ena- 
ble field reprogramming of set top boxes without com- 
promising the hierarchy of video programming security. 

ss 

SUMMARY OF THE INVENTION 

[0005] The present application discloses a secure 
computing system. A program, preferably the secure 

30 computing system real time operating system, is 
encrypted with a private key. The data processor 
includes a boot ROM on the same integrated circuit that 
is inaccesstole from outside the integrated circuit The 
boot ROM includes the public key corresponding to the 

35 private key used to encrypt the program. On initializa- 
tion the boot ROM decrypts at least a verification por- 
tion of the program. This enables verification or non- 
verification ol the security of the program. The boot 
ROM may store additional pubfic keys for verification of 

40 application programs following verification of the real 
time operating system. Alternatively, these additional 
public keys may be stored in the non-volatfle memory. 
[0006] On verification of the security of the program, 
normal operation is enabled. There are several remedial 

45 actions that can take place on non-verification, The sys- 
tem could be disabled, or in the case of non-verification 
of an application following verification of the real time 
operating system only that application program could be 
disabled. The system could notify the system vendor of 

so the security violation using the modem of the secure 
computing system. 

[0007] A diagnostic program can check the security of 
a program. The program is stored at predetermined 
physical address in memory. Relocation of these physi- 
55 cal addresses where the program is stored is prevented, 
The diagnostic program is loaded and checks the pro- 
gram at the predetermined physical address against a 
standard. The diagnostic program then irxficates that 



